Will the shields they tell us to raise defend against the Borg?

Is an IT cybersecurity bias blinding defenders of critical infrastructure?

Have been following the warnings and advice currently given to enterprises on bolstering cyber and other defenses in the wake of the recent (January 2019) escalations of conflict between the US and Iran.  In particular the warnings that focus on advising those who use “industrial control systems and operational technology”[1].  Technologies used to monitor and control physical process found in sectors of critical infrastructure.

Well respected ICS security companies in the private sector are raising the alarm in terms of threats to the security and safety of industrial operations[2].  However I am starting to wonder if the right messages of advice are being sent by the authorities that are appropriate to the perceived threats. The US DHS CISA in its January 6th bulletin on “Increased Geopolitical Tensions and Threats” accents Iran’s ability to conduct cyber operations against strategic targets and its “increased interest in industrial control systems and operational technology”.[3]   This is encouraging to read as a general but relevant guidance.  However in its recommended actions for cyber protection the message becomes less clear for those who operate a potential strategic target such as a petrochemical facility, water supply system, and transportation system or power grid.  Under the listed actions for Cyber Protection point Nr. 7 recommends “Vulnerability Scanning and Patching”[4] while it makes for good Office IT security it  may be problematic for securing the industrial control (OT/ICS) and engineering systems used to monitor and control a physical process at a plant or manufacturing facility.

The bulletin in addition recommends implementing the “Cybersecurity and infrastructure Security Agency (CISA) Cyber Essentials” recommendations[5].  Page 1 is titled “The Leader’s Guide”[6] which as one reads further, basically rings like an IT security document.  The focus is on “Your Data” and in terms of “Systems” the accent is on “information”.  Nothing encountered  that indicates an appreciation for the importance of the security and safety of the physical process nor for the control systems and engineering systems used to keep it all safe. The impression that this is an IT security biased document is further reinforced by the flip side of the guide which is titled “The IT Professionals Guide”.  As one of the “essential actions for building a culture of cyber readiness” one finds the recommendation for “automatic updates for all operating systems and third party software”.  Do not get me wrong, there are many good things to do on this list of recommendations for the engineers to implement such developing and incident response and disaster recovery plan but the context is still the enterprises Office IT (data/information) and not about the industrial processes.  In other words these recommendations apply very well for protecting against incidents such as the 2012 cyber-attack that Shamooed 30,000 hard drives in the business part of Saudi Aramco.  Not so applicable, however for what happened at that petrochemical plant hit by Triton in 2017 and not much help for industrial enterprises like Norsk Hydro that were hit in 2019.

One wonders about the possible consequences that may result from applying these IT centric recommendations in an industrial setting.  Here we have a list of things the CEO and CISO can use to justify orders to the OT managers and senior plant engineers who are not worried so much about the Office IT but about the safety of the industrial operation they are responsible for.  Will they be able to convince the ones giving the orders that doing a vulnerability scan or implementing automated patching of control system devices and IED’s may not be a good idea? It would be useful, in addition to this IT based advice,  to come up with a separate document that would be more applicable to industrial operations. It would be called Cyber Guide of Essentials for The OT Professional and Senior Plant Engineer.  If someone knows where one is available please share.  If it does not exist then I am willing to join anyone in the SCADASEC CoI to help create one.

[1] https://www.cisa.gov/sites/default/files/publications/CISA-Insights-Increased-Geopolitical-Tensions-and-Threats-S508C.pdf

[2] https://dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf  January 2020

[3] https://www.cisa.gov/sites/default/files/publications/CISA-Insights-Increased-Geopolitical-Tensions-and-Threats-S508C.pdf

[4] Ibid.

[5] https://www.cisa.gov/sites/default/files/publications/19_1106_cisa_CISA_Cyber_Essentials_S508C_0.pdf

[6] Ibid.


NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in information technology and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) and is Co-chairman of ISA 99 Workgroup 13 that is developing Micro Learning Modules on the ISA 62443 Industrial Automation and Control System Security Standard.